Alex Lanstein is the CTO of StrikeReady, pioneering unified AI-powered Security Command Center solutions for Security Operations Centers.

Every day, security operations center (SOC) professionals protect their companies’ systems through proactive threat intelligence activities that include gathering information about potential cyberattacks, analyzing their impact and determining the most effective way to respond to them. During a cyberattack, the worth of an SOC is clear.
When everything is burning down, SOCs are the firefighters working to protect an organization’s systems. But how do SOCs demonstrate their worth when nothing is on fire? Unfortunately, some company decision makers may regard SOCs as the seatbelt they can remove because they haven’t been in any accidents lately. Even though they’re getting the benefits of the daily protections SOCs provide, when there’s no clear evidence of this defense, companies may decide that the precautions aren’t worth the cost.
SOCs already know how valuable they are, but it doesn’t matter if no one else sees what they bring to the table. As a result, it’s important for SOCs to actively and consistently prove their worth by changing the way they operate. When SOCs have effectively warded off security breaches, it can be difficult for them to get the visibility and credibility they deserve because nothing is happening.
And when nothing is happening, an organization’s management may be left wondering what the SOC actually does—and why it’s even necessary. To help make the business case for SOCs, leveraging metrics is key. There are numerous points in the analyst workflow that can be highlighted.
• Extracting Indicators: SOCs regularly review threat intelligence reports. It's important to highlight this work. Outlining all of the domains, IP addresses, hashes and URLs that may have been problematic without their intervention demonstrates how many fires could have burned a company’s system down—but didn’t get a chance to ignite.

• Checking Intelligence Feeds: Often, leaders overlook the effort spent to proactively block threats, and they assume the things being prevented are not “novel.” But that is not necessarily the case. SOCs should show how they’ve extracted and searched for indicators that were caught by security tools, on a retroactive basis. To say it another way, there is very little finished threat intel about today’s threats. Those intel products are released weeks or months from “boom,” so you need to run a retrospective analysis to help tell a better story of the attacks you blocked three months ago. It didn’t happen to you, but it did impact another organization. Otherwise, there would be no intel.

• Reviewing Alerts: Security tools should be maximally implemented and effective, but are they really? SOCs should provide metrics about which tools are producing what quality of alerts on an ongoing basis. Oftentimes, cybersecurity vendors wax and wane in the quality of their detection capabilities, and management should be able to understand when that once-hot vendor starts to taper off in value.

• Searching Logs: Alerts are only as good as the frequency at which they’re generated. Leaders won’t know about threats that no one was warned about, but SOCs will. They can communicate with decision makers about their ability to look at endpoint telemetry, network traffic and browser activity logs to find indicators of threats that were present, but never triggered an alert. Creating metrics about the time it takes to execute basic hunts (indicator-based searches) shows where telemetry and search horsepower could be improved.

• Simulating Attacks: A simulation is a fire that never actually sparked, but one that could have. SOCs should execute controlled threat simulations in virtual environments to determine the effectiveness of security tools for detecting and responding to possible threats. Since organizations generally don’t track these time-consuming tasks, letting executives know about simulations—or even showing one in action—can illustrate the importance of SOCs' work.

Despite the various metrics SOCs can report to their organizations, they generally don’t monitor their effectiveness. One major factor that precludes reporting on metrics is the manual effort it takes.
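As an added example (not from the article), the retrospective analysis described under Checking Intelligence Feeds and the per-tool metric under Reviewing Alerts, run over constructed sample data: an intel report published months after the activity it describes is matched against our own historical block events, and the result is the story management can read (how many blocks predate any finished intel, by how many days, from which tool). The indicator values, the publication date, the log format and the tool names are all constructed assumptions.

```python
from collections import Counter
from datetime import date, datetime

# Constructed sample intel report (indicators are placeholders): published 2024-06-10,
# describing an intrusion at another organisation that began in March.
INTEL_REPORT = {
    "published": "2024-06-10",
    "indicators": {"203.0.113.7", "evil-updates.example", "a1b2c3d4deadbeef"},
}

# Constructed sample block events in an assumed "<ts> <tool> blocked <key>=<value>"
# format; in practice these come from a SIEM or EDR export.
BLOCK_LOG = """\
2024-03-02T10:14:00 proxy blocked dst=evil-updates.example
2024-03-02T10:14:05 firewall blocked dst=203.0.113.7
2024-03-15T08:00:00 edr blocked hash=a1b2c3d4deadbeef
2024-04-01T12:00:00 proxy blocked dst=benign-cdn.example
2024-06-12T09:30:00 firewall blocked dst=203.0.113.7
"""

def parse_events(log_text):
    """Yield (timestamp, tool, indicator) for each well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or "=" not in parts[3]:
            continue  # skip malformed lines rather than abort the whole hunt
        yield datetime.fromisoformat(parts[0]), parts[1], parts[3].split("=", 1)[1]

def retro_hunt(report, log_text):
    """Count blocks that predate the intel report, per tool, plus the lead time in days."""
    published = date.fromisoformat(report["published"])
    wanted = report["indicators"]
    metrics = {"pre_intel": 0, "post_intel": 0, "max_lead_days": 0,
               "per_tool_pre_intel": Counter(), "indicators_seen": set()}
    for ts, tool, ioc in parse_events(log_text):
        if ioc not in wanted:
            continue
        metrics["indicators_seen"].add(ioc)
        if ts.date() < published:
            # Blocked before any finished intel existed: this is the "novel" prevention story.
            metrics["pre_intel"] += 1
            metrics["per_tool_pre_intel"][tool] += 1
            metrics["max_lead_days"] = max(metrics["max_lead_days"], (published - ts.date()).days)
        else:
            metrics["post_intel"] += 1
    metrics["coverage"] = len(metrics["indicators_seen"]) / len(wanted)
    return metrics

if __name__ == "__main__":
    print(retro_hunt(INTEL_REPORT, BLOCK_LOG))
```

Re-running the same hunt against each new intel report accumulates the retrospective numbers the article recommends reporting, and the per-tool counter is the raw material for the alert-quality trend under Reviewing Alerts.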
Developing and updating connectors to collect, analyze and correlate threat intelligence information from various security tools would be extremely onerous. Although security orchestration tools do exist, they require companies to build their own playbooks and manage APIs that can frequently change. This means only the most sophisticated organizations with security engineers can create effective workflows—leaving other companies to toil with the more labor-intensive approach.
However, this doesn’t mean metrics should not be measured at all. If SOC analyst workflow metrics are too challenging to quantify and record, there is another way they can show their value: benchmarking. Establishing benchmarks allows SOCs to adopt a data-based strategy that boosts their effectiveness.
This also allows them to illustrate how many reports have been handled, as well as how much time was spent on each phase of the process. Some of the questions SOCs can use as the foundation for measuring benchmarks include:

• How long does it currently take to fully analyze one threat intelligence report?

• How many reports should be reviewed per day or week to achieve threat coverage?

• Where are the logjams?

• Does a tool or manual workflow cause delays?

• How can automation be used to increase the speed of these processes without jeopardizing the quality?

Answering these questions can be a starting point for how SOCs present their daily activities in a way that’s meaningful to management. Chances are, executives aren’t aware of the numerous activities SOC analysts engage in when there’s no obvious threat to manage.
This problem can be solved by SOCs regularly documenting their efforts through weekly reports. Cybersecurity is a dynamic field, so organizations must shift from a defensive approach to managing threats proactively. However, in order to do this, SOCs must be able to demonstrate the importance of their roles and justify their budgets.
Otherwise, leaders may come to the conclusion that SOCs just aren’t needed. By creating performance benchmarks and measuring how effective they are, SOCs can prove that the data fires that never burn are the most important fires of all.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
Proving The Value Of Security Operations Centers When Nothing Is On Fire